antdude
Matrix Ant
Premium Member
join:2001-03-25
US

1 recommendation

Good Passwords Made Easy

»www.osnews.com/story/265 ··· ade_Easy

"If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!"

Cudni
La Merma - Vigilado
MVM
join:2003-12-20
Someshire

1 recommendation

As simple as that and yet vastly effective

Cudni

DannyZ
Gentoo Fanboy
Premium Member
join:2003-01-29
united state

2 recommendations

DannyZ to antdude

[image attachment]

Ian1
Premium Member
join:2002-06-18
ON

1 recommendation

That cartoon always annoys me. It's wildly incorrect unless you assume that password crackers always use brute-force. And since they don't, it's a terrible assumption.

Dictionary-based attacks WILL assume that you might string one, two, three, four, five..... common English words together to form a pass-phrase. The estimation of the entropy differences here is wildly optimistic. That said, four English words is still a pretty good password.

TheTechGuru
join:2004-03-25
TEXAS

TheTechGuru to antdude

Member

to antdude
»www.grc.com/haystack.htm

Nuff said!

DannyZ
Gentoo Fanboy
Premium Member
join:2003-01-29
united state

DannyZ to Ian1
I use strings of words with different languages mixed in sometimes. I think it's pretty secure.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

1 recommendation

sivran to antdude
"Never use the same password twice" should be "never use the same password on sensitive sites" IMO. Creating unique passwords for every single site is needlessly annoying.

Someone cracks my account here, for example, sure they could try the same password elsewhere (let's assume for the moment they find the one other place I have the same username) and it'll work--but guess what, it's another meaningless account and what have they gained? Nothing that could help them hack another account. No PII. They try to take that pass and hit my banks, any work stuff, or anything remotely sensitive, they'll be trying forever.
quote:
He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password.
I don't think I need to elaborate on how stupid this is.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Kilroy to antdude
Sorry, this is what I'm doing my next speech on for my speech class. It is a persuasive speech, by the way.

A password manager is the only way to go. I use the premium version of LastPass with a Yubikey for two factor authentication.

The next best is to just jam on the keyboard and save the results in an encrypted text file. The problem is if the only copy is on a USB drive you're just asking to be locked out of every account that is listed.

The best advice in the article is NEVER USE THE SAME PASSWORD TWICE. The problem is there is no way to remember all of the different passwords, plus user name, for the different sites. With the number of sites that get hacked your user name and password will probably be on one of them in any given year, if you have any real web usage. If you're lucky it will become public. If you're really lucky they salted and hashed the passwords. However, if they got hacked they may have stored your data in plain text and won't make it public they got hacked. Any site you use that password on will be compromised also.

Using a password manager such as LastPass helps protect you from spoofed sites. If the link looks like PayPal, but isn't, LastPass won't be able to fill in your data because the site doesn't match anything in your password list.

A password manager can create and remember large complex passwords for many sites, easily. There are many more benefits, especially with LastPass. Such as one time use passwords, generate one, store it in your safe deposit box. If you die someone will have access to all of your password protected accounts, quickly and easily.

No, I don't make any money from LastPass, but I do think it is a great, and inexpensive product.
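The spoofed-site protection Kilroy describes comes down to how a manager decides whether a saved entry belongs to the page in front of it. The following is an added illustration, not LastPass code or anything from the linked article: a small vault (constructed entries, made-up site names) and a matcher that compares the registrable domain of the current page with the one stored for the entry, and refuses to fill over plain http. The two-label approximation of a registrable domain is a stated simplification; a real manager would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed vault entries for the demo; the site names are illustrative and
# the passwords are placeholders, not real credentials.
VAULT = [
    {"site": "paypal.com", "username": "alice", "password": "<placeholder>"},
    {"site": "www.dslreports.com", "username": "alice", "password": "<placeholder>"},
]


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels of the host.

    Simplification: 'example.co.uk' would come out as 'co.uk'. Production code
    uses the Public Suffix List; the point here is the comparison rule, not the
    suffix table.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def matching_entries(vault, url: str):
    """Return the entries a manager should offer to fill on this URL.

    Two checks: the page must be served over https, and its registrable domain
    must equal the entry's registrable domain. A substring test such as
    'paypal' in host would accept look-alike hosts, so it is not used.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return []
    page_domain = registrable_domain(parts.hostname)
    return [e for e in vault if registrable_domain(e["site"]) == page_domain]


def will_autofill(vault, url: str) -> bool:
    """True when at least one stored entry matches the page."""
    return bool(matching_entries(vault, url))


if __name__ == "__main__":
    for u in (
        "https://www.paypal.com/signin",
        "https://paypal.com.login-verify.example/signin",  # look-alike host, made up
        "http://www.paypal.com/signin",                     # same host, no TLS
        "https://www.dslreports.com/forum/security",
    ):
        print(f"{u:55} fill={will_autofill(VAULT, u)}")
```

Running the script shows that the first and last URLs are filled while the look-alike host and the http page are not, which is exactly the behaviour that keeps a saved PayPal password away from a site that merely looks like PayPal.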

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to antdude
One observation seems in order here. If a person uses any on-site software password manager, they need to be absolutely certain to keep a written record off-site of any passwords for financial or paid-subscription accounts (as well as anything else they deem truly important). Houses can burn down or flood out - and they generally take down their computers with them. Laptops and PCs can get stolen. Cloud access can become problematic for a variety of reasons or at certain times. In those situations, with a new or borrowed computer, the last thing anyone wants is to find themselves locked out of critical or important accounts just because they can't get at their passwords. Just sayin'...

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

I know that LastPass allows you to download your passwords if you want. There is also an "offline" option on the Apple App. However, if you're accessing an account odds are you have access to the cloud.

LastPass - Where is my data stored on my computer?

KodiacZiller
Premium Member
join:2008-09-04
73368

KodiacZiller to Ian1
said by Ian1:

That cartoon always annoys me. It's wildly incorrect unless you assume that password crackers always use brute-force. And since they don't, it's a terrible assumption.

Dictionary-based attacks WILL assume that you might string one, two, three, four, five..... common English words together to form a pass-phrase. The estimation of the entropy differences here is wildly optimistic. That said, four English words is still a pretty good password.

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.

Airtj
join:2001-08-08
Clifton, VA

Member

I too use lastpass but with Google Authenticator.

I recall reading something in this forum on how to create good passwords. Something you can easily remember, let's say Nissan for a car you own and the model is, let's say, 300zx.

You then include the site you are accessing and put them together. That way you can easily remember each password for each site.

So using that example the password here would be:

NissanBroadBand300zx

Gmail would be

NissanGmail300zx

Or something like that, depending on where you place each item and if you capitalize them or not.

Ian1
Premium Member
join:2002-06-18
ON

Ian1 to KodiacZiller
said by KodiacZiller:

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.

I'm aware of that. But that wasn't the complexity calculation used by the cartoon author.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

1 recommendation

Rule of Thumb: if you need a NYT article to tell you the rules about passwords, you are already doomed.

KodiacZiller
Premium Member
join:2008-09-04
73368

KodiacZiller to Ian1
said by Ian1:

said by KodiacZiller:

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.

I'm aware of that. But that wasn't the complexity calculation used by the cartoon author.

Maybe not, but the diceware method is still the best way to create strong passwords that are easy to remember.

For example, let's say that you have a word list of 10,000 English words to choose from. Let's further assume your adversary *knows* that you used this list. Here's the entropy for passwords made with different lengths:

4 words = 53 bits
5 words = 66 bits
6 words = 80 bits
7 words = 93 bits

So you'll need at least 6 words to be sure that the password won't be cracked. 80 bits is plenty strong. The nice thing about this is the adversary can know the wordlist and it doesn't matter as long as your password is long enough and chosen *randomly*.
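The entropy table above, and Ian1's earlier point that a cracker attacking a word-based phrase does not pay the character-level price, both follow from one formula: with a known list of N words and k words drawn uniformly, the phrase carries k * log2(N) bits. The script below is an added example written for this thread, not code from either poster or from the Diceware project. It reproduces the 10,000-word table, contrasts the word-level figure with the naive character-level figure for the same phrase, converts bits to an expected search time for an assumed guess rate (1e12 guesses/s is a constructed number, not a measurement), and draws words with the OS random source. The eight-word list embedded in it is a constructed toy for the generator demo only.

```python
import math
import secrets

# Constructed toy list for the generator demo. A real Diceware list has 7776
# (6^5) entries and KodiacZiller's table assumes 10,000; neither is embedded here.
TOY_WORDLIST = ["apple", "river", "stone", "cloud", "maple", "tiger", "piano", "ocean"]


def passphrase_entropy_bits(wordlist_size: int, num_words: int) -> float:
    """Entropy of num_words drawn uniformly and independently from a list.

    The adversary is assumed to know the list, so the only secret is which
    words were drawn: entropy = num_words * log2(wordlist_size).
    """
    if wordlist_size < 2 or num_words < 1:
        raise ValueError("need at least 2 candidate words and at least 1 draw")
    return num_words * math.log2(wordlist_size)


def brute_force_entropy_bits(alphabet_size: int, length: int) -> float:
    """Keyspace a cracker faces only if it treats the phrase as random
    characters. Comparing this with passphrase_entropy_bits shows the gap
    Ian1 describes: the character-level number is far too optimistic."""
    return length * math.log2(alphabet_size)


def expected_seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected search cost: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def entropy_table(wordlist_size: int, counts=(4, 5, 6, 7)) -> dict:
    """Rounded bits per word count; for 10,000 words this is the posted table."""
    return {n: round(passphrase_entropy_bits(wordlist_size, n)) for n in counts}


def generate_passphrase(wordlist, num_words: int, sep: str = " ") -> str:
    """secrets.choice draws from the OS CSPRNG with a uniform distribution;
    random.choice is seeded predictably and must not be used for a secret."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    print(entropy_table(10_000))
    print(f"4 words from 7776:             {passphrase_entropy_bits(7776, 4):.1f} bits")
    print(f"25 lowercase chars if random:  {brute_force_entropy_bits(26, 25):.1f} bits")
    years = expected_seconds_to_crack(80, 1e12) / (3600 * 24 * 365)
    print(f"80 bits at 1e12 guesses/s: about {years:.0f} years expected")
    print("sample phrase:", generate_passphrase(TOY_WORDLIST, 6))
```

The first line of output is {4: 53, 5: 66, 6: 80, 7: 93}, matching the post. The second and third lines make Ian1's objection concrete: four words from the 7776-entry list are about 52 bits, while the same 25 lowercase letters scored as random characters would claim roughly 117 bits, and only the former number describes a cracker that knows the list. The phrase printed last is drawn from the toy list and is only a demonstration of the drawing method.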

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

Now if only we could get all websites to accept the long passwords required for such an approach.

Ian1
Premium Member
join:2002-06-18
ON

said by sivran:

Now if only we could get all websites to accept the long passwords required for such an approach.

Well, that and the fact that typing in a 6 word password is a little on the cumbersome side.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Kilroy to sivran
said by sivran:

Now if only we could get all websites to accept the long passwords required for such an approach.

Amen. There should be no limit on length, other than maybe less than 256. It ticks me off that I can only have a 12 character password on my 401k, as I've moved up to 15 character passwords.
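The length cap sivran and Kilroy complain about is a server-side policy choice, and it usually coexists with the hashing question Kilroy raised earlier in the thread (whether the site salts and hashes at all). The following is an added example for this thread, not code from any site or product named in it. It puts a 12-character cap beside a policy that accepts long passphrases with a 256-character ceiling, and stores passwords with salted PBKDF2-HMAC-SHA256 from the standard library, which hashes the entire input. The 72-byte check exists because bcrypt, a common alternative, silently truncates at that length, so a site using it would accept a six-word phrase and then effectively ignore the tail. The iteration count and the sample phrase are constructed values.

```python
import hashlib
import hmac
import os

# Two policies side by side: the 12-character cap described in the thread, and
# one whose only ceiling is a sanity limit (256, as the post suggests).
WEAK_POLICY = {"min_len": 8, "max_len": 12}
SANE_POLICY = {"min_len": 12, "max_len": 256}

DEFAULT_ITERATIONS = 600_000  # constructed; tune to your hardware budget


def check_policy(password: str, policy: dict) -> bool:
    """Length limits are measured in characters; the KDF below sees UTF-8 bytes."""
    return policy["min_len"] <= len(password) <= policy["max_len"]


def hash_password(password: str, salt: bytes = None, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as algo$iterations$salt$digest.

    A fresh 16-byte salt per password means two users with the same passphrase
    get different records, so a leaked table cannot be attacked in bulk.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hashes_full_input(prefix_len: int = 72) -> bool:
    """True if inputs that agree on the first prefix_len bytes still hash
    differently, i.e. the KDF does not truncate the way bcrypt does at 72 bytes.
    A fixed salt and a low iteration count are used only to make the two
    digests directly comparable."""
    salt = b"\x00" * 16
    base = "x" * prefix_len
    return hash_password(base + "A", salt, 1_000) != hash_password(base + "B", salt, 1_000)


if __name__ == "__main__":
    phrase = "maple river stone cloud tiger piano"  # constructed six-word phrase
    print("weak policy accepts it:", check_policy(phrase, WEAK_POLICY))
    print("sane policy accepts it:", check_policy(phrase, SANE_POLICY))
    record = hash_password(phrase)
    print("stored record:", record[:40] + "...")
    print("verify correct:", verify_password(phrase, record))
    print("verify wrong:  ", verify_password(phrase + "!", record))
    print("KDF uses bytes past 72:", hashes_full_input())
```

Under the weak policy the six-word phrase is rejected outright, which is the 401k experience from the post; under the sane policy it is accepted and hashed in full. If a site must keep bcrypt, the usual mitigation is to pre-hash the passphrase (for example with SHA-256, base64-encoded) before handing it to bcrypt, so that length beyond 72 bytes still contributes.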